Since the negative result of Lo (Physical Review A, 1997), it has been left open whether there exist some functions that can be securely computed in the two-party setting in the quantum domain when one of the parties is malicious. In this paper, we show for the first time that there are some functions for which secure two-party quantum computation is indeed possible in the non-simultaneous channel model. This is in sharp contrast with the impossibility result of Ben-Or et al. (FOCS, 2006) in the broadcast channel model. The functions we study are of two types: one is any function without an embedded XOR, and the other is a particular function containing an embedded XOR. Contrary to classical solutions, security against adversaries with unbounded power of computation is achieved by the quantum protocols due to entanglement. Further, in the context of secure multi-party quantum computation, for the first time we introduce rational parties, each of whom tries to maximize its utility by obtaining the function output alone. We adapt our quantum protocols for both the above types of functions in the rational setting to achieve fairness and strict Nash equilibrium.


I. INTRODUCTION 

In a secure two-party computation, two parties or players want to compute a particular function of their inputs while keeping the inputs secret from each other. They are only allowed to obtain the output of the function, preserving some security notions under a certain adversarial model.

The secure two-party computation is a special case of 'Secure Multi-party Computation' (SMC). In the classical domain, the SMC problem has been studied extensively. The security of classical SMC comes from some computational hardness assumptions and thus is conditional. On the other hand, in the quantum domain the adversary is always assumed to have unbounded power of computation and the security of a protocol comes from the laws of physics. This is why many researchers have tried to exploit the quantum mechanical effect [ij to solve the problems of SMC [1-0

In [1], it is pointed out that there are some functions which cannot be securely evaluated in the quantum domain for two-sided 0 two-party setting. Later, Ben-Or et al. m generalized it by showing an impossibility result for n players, when there are ^ or more faulty players. Since the work of 0 in 1997, in the case of two-party quantum computation, some additional assumptions, such as the semi-honest third party etc., have been introduced to obtain the secure private comparison iid.

Yao's millionaires' problem [Il| is one of the examples of secure two-party computation. Yao's millionaires' problem [T^, or more precisely, the 'greater than' function, deals with two millionaires, Alice and Bob, who are interested in finding who amongst them is richer, without revealing their actual wealth to each other. Much effort has been given to solve this problem in the quantum domain iS il, all of which analyzed the security issues against several eavesdropping strategies. Jia et al. 0 dealt with the problem with a semi-honest party. In 0, the millionaires' problem is studied considering continuous variables. He 0 exploited the idea of quantum key distribution to solve the problem. Tseng et al. 0 proposed the use of Bell states to solve this problem. Their protocol also exploits a third party to assist the players. Yang et al. 0 showed the vulnerability of their protocol if the third party is disloyal. However, none of these works 0-000[l3 analyze the security issues considering malicious players.

In the classical domain, the subsequent work by Gordon et al. [Il,[i3 showed that any function over polynomial-size domains which does not contain an "embedded XOR" can be converted into the greater than function or, more specifically, into the millionaires' problem. Hence, the millionaires' problem covers all functions without embedded XOR. Gordon et al. also studied a function which has an embedded XOR [13, [ill , namely, a function that simply checks whether the inputs chosen by two players (from a specified domain) are equal or not. Exploiting the idea of Gordon et al., we for the first time design two quantum protocols for these two distinct sets of functions and analyze the security issues when players are malicious, unlike the existing quantum protocols 0-0 0 0[l3

Further, we analyze our new quantum protocols considering rational players, and this is the first work on secure multi-party quantum computation in the rational setting. Rational players are neither 'good' nor 'malicious'; they are utility maximizing. Each rational party wishes to learn the output while allowing as few others as possible to learn the output. Thus, each rational party chooses to abort to maximize its utility. This rationality concept comes from game theory. Recently, significant effort has been given towards bridging the gap between two apparently unrelated domains, namely, cryptography and game theory [TMl. Cryptography deals with the worst case scenario, making the protocols secure against malicious behaviour of a party. However, in the game theoretic perspective, a protocol is designed against the rational deviation of a party. Very recently, Brunner and Linden dl showed a deep link between quantum physics and game theory. By bringing quantum mechanics into a class of games, known as Bayesian games, they showed that players who can use quantum resources, such as entangled quantum particles, can outperform classical players. In the quantum domain, the concept of rational players in secret sharing was first introduced in [2^ . In this paper, we identify that fairness in secure two-party computation in the non-rational setting does not imply fairness in the rational setting. In the rational setting, we modify the protocols to achieve both fairness as well as strict Nash equilibrium pm.

A. Contributions 

Below we summarize our contributions in this work. 

1. For the first time in the quantum domain, we identify that for the non-simultaneous channel model, there exist some functions which can be computed in the two-party setting with complete fairness when one of the parties acts maliciously. We consider two sets of functions. One set consists of the functions without embedded XOR, whereas the other set deals with a specific function having an embedded XOR.

2. We also consider rational adversaries and modify our protocols accordingly to achieve both fairness and strict Nash equilibrium. To our knowledge, ours is the first work on secure multi-party quantum computation in the rational setting.

3. Our protocols are secure against both Byzantine as 
well as Fail-stop adversaries in both non-rational 
and rational settings. 

B. Key Differences from Prior Works 

Here we highlight the key differences of our protocols from the existing quantum protocols for secure two and multi-party computation.

1. Lo 0 showed that there are certain functions for which two-sided secure two-party quantum computation is impossible if one of them is malicious. Ben-Or et al. m proved that, assuming pairwise quantum channels and classical broadcast channels among the n players, a universally composable, statistically secure multi-party quantum computation is possible for less than ^ faulty players. On the other hand, we identify that in the non-simultaneous channel model, both the millionaires' and the embedded XOR problem can be solved in the quantum domain with complete fairness when one of the parties is malicious.

2. Our protocols differ from the existing quantum protocols for private comparison in the sense that all these protocols analyze the security issues against several eavesdropping strategies. None of those consider malicious players. Contrary to this, we analyze the security of our protocols considering malicious behaviour of the players. In our protocols there is no external adversary.

II. PRELIMINARIES 

In this section we explain what is meant by functionality, two-party computation, ideal and real world model, security of a protocol, Byzantine and fail-stop adversary used in this work. We also define fairness in non-rational as well as rational settings. We identify that when we move from one model to another, the definition of fairness changes. Further, we define strict Nash equilibrium for a two-player game in the rational setting.

A. Functionality 

In the classical domain and in the two-party setting, a functionality $\mathcal{F} = \{f_\lambda\}_{\lambda \in \mathbb{N}}$ is a sequence of randomized processes, where $\lambda$ is the security parameter and $f_\lambda$ maps pairs of inputs to pairs of outputs (one for each party). Explicitly, we can write $f_\lambda = (f_\lambda^1, f_\lambda^2)$, where $f_\lambda^1$ (resp. $f_\lambda^2$) represents the output of the first party, say $P_1$ (resp. output of the second party, say $P_2$). The domain of $f_\lambda$ is $X_\lambda \times Y_\lambda$, where $X_\lambda$ (resp. $Y_\lambda$) denotes the possible inputs of the first (resp. second) party. If the domain sizes $|X_\lambda|$ and $|Y_\lambda|$ are polynomial in $\lambda$, then we say that $\mathcal{F}$ is defined over polynomial size domains. If each $f_\lambda$ is deterministic we say that each $f_\lambda$ as well as the collection $\mathcal{F}$ is a function.


B. Two-Party Computation 

In the classical domain, the two-party computation of a functionality $\mathcal{F} = \{f_\lambda^1, f_\lambda^2\}$ is defined as follows. If a party $P_1$ is holding $1^\lambda$ and an input $x \in X_\lambda$ and a party $P_2$ is holding $1^\lambda$ and an input $y \in Y_\lambda$, then the joint distribution of the outputs of the parties is statistically close to $(f_\lambda^1(x,y), f_\lambda^2(x,y))$.

C. Ideal vs. Real World model 

In the ideal world model we assume that there is an incorruptible trusted third party (TTP) who computes the function on behalf of $P_1$ and $P_2$. $P_1$ and $P_2$ send their inputs to the TTP, who computes the functionality and returns the value to each party. On the other hand, in the real world model there is no trusted party to compute the functionality; rather, a protocol is executed to compute the functionality.

Here, along the same line as [a M , we assume a hybrid world model, where there is a trusted third party who computes the function like in the ideal world and distributes the shares of the function's output like a dealer in secret sharing [^ 1 between the players. The players construct the output by exchanging their shares. In our hybrid world model we call the TTP a dealer.

The security of a protocol depends upon what an adversary can do during the real protocol execution. In the ideal world, as there is an incorruptible trusted third party who computes the function and sends the output to the participants, the computation is secure by definition. However, in the real world model there is no trusted party. If the adversary who exists in the real model can do no more harm than in the ideal scenario, then we say that the protocol is secure.

D. Fail-stop and Byzantine Adversarial Model 

In the fail-stop setting, each party follows the protocol as directed except that it may choose to abort at any time fisj ] and a party is assumed not to change its input when running the protocol. On the other hand, in the Byzantine setting, a deviating party may behave arbitrarily. It may change the inputs or may choose to abort. Since a Byzantine adversary covers all the characteristics of a fail-stop adversary, it is very natural to consider only the Byzantine setting. If a protocol is secure against a Byzantine adversary, it must be secure against a fail-stop adversary. Hence, throughout the paper we analyze the security issues against a Byzantine adversary only.

E. Security in Non-rational Setting 

In the non-rational setting, the move of a player is decided by his adversarial nature, not by his utility function; whereas in the rational setting every move of a player is guided by his utility.

1. Fairness

For fairness in the non-rational setting, we need to introduce some terminology. Let us assume that $P_1$ begins by holding an input $x \in X$ and $P_2$ begins by holding an input $y \in Y$, and $z \in \{0,1\}^*$ is the auxiliary input of the adversary. Let $\{IDEAL_{\mathcal{F},\mathcal{S}(z)}(x,y)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*}$ represent a pair of two random variables denoted by VIEW and OUT, where $VIEW_{ideal}(x,y)$ represents the output of the party who is corrupted by the adversary $\mathcal{S}$ and $OUT_{ideal}(x,y)$ represents the output of the honest party in the ideal world. Thus, we can write

$$\{IDEAL_{\mathcal{F},\mathcal{S}(z)}(x,y)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*} = \big(VIEW_{ideal}(x,y),\ OUT_{ideal}(x,y)\big).$$

Similarly, let $\{REAL_{\Pi,\mathcal{A}(z)}(x,y)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*}$ represent a pair of two random variables, namely $VIEW_{real}(x,y)$ and $OUT_{real}(x,y)$, where $VIEW_{real}(x,y)$ denotes the random variable in the real world consisting of the view of the player corrupted by the adversary $\mathcal{A}$ and $OUT_{real}(x,y)$ represents the random variable consisting of the output of the honest party in the real world |22l |.

Definition 1. (Fairness) A protocol $\Pi$ is said to securely compute a functionality $\mathcal{F}$ with complete fairness if for every adversary $\mathcal{A}$, having unbounded power of computation in the real model, there exists an adversary, $\mathcal{S}$, with the same computational complexity in the ideal model such that

$$\{IDEAL_{\mathcal{F},\mathcal{S}(z)}(x,y)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*} = \{REAL_{\Pi,\mathcal{A}(z)}(x,y)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*}.$$

Note that here we do not require a security parameter $\lambda$, as we consider that our adversary has unbounded power of computation.

In our hybrid model, the fairness condition is as follows.

Definition 2. (Fairness) A protocol $\Pi$ is said to securely compute a functionality $\mathcal{F}$ with complete fairness if for every adversary $\mathcal{A}$, having unbounded power of computation in the hybrid model, there exists an adversary, $\mathcal{S}$, with the same computational complexity in the ideal model such that

$$\{IDEAL_{\mathcal{F},\mathcal{S}(z)}(x,y)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*} = \{HYBRID_{\Pi,\mathcal{A}(z)}(x,y)\}_{(x,y) \in X \times Y,\, z \in \{0,1\}^*}.$$

Here, REAL is replaced by HYBRID, which is the random variable consisting of the view (VIEW) of the adversary and the output (OUT) of the honest party in the hybrid world, in the same manner as above.

F. Rational Setting and its Security 

We define a function reconstruction protocol with rational players to be a pair $(\Gamma, \vec{\sigma})$, where $\Gamma$ is the game (i.e., specification of allowable actions) and $\vec{\sigma} = (\sigma_1, \ldots, \sigma_n)$ denotes the strategies followed by $n$ players.
We use the notations and respectively 

for (fTi,..., (7yj—i, ..., fJ^) and (.ci,..., w^ 

Gw+i, • ■ •, CT„). The outcome of the game is denoted by 

$(\Gamma, \vec{\sigma}) = (o_1, \ldots, o_n)$. The set of possible outcomes with respect to a party $P_w$ is as follows. 1) $P_w$ correctly computes $f$, while others do not; 2) everybody correctly computes $f$; 3) nobody computes $f$; 4) others compute $f$ correctly, while $P_w$ does not.

The output that no function is computed is denoted by $\perp$ (i.e., null as in H)-

1. Utilities and Preferences

The utility function of each party is defined over the set of possible outcomes of the game. The outcomes and corresponding utilities for two parties are described in Table I. We here assume that the utility values are real.

TABLE I: Outcomes and Utilities for (2, 2) rational function reconstruction


Pi’s outcome P2’s outcome Pi’s Utility P2’s Utility 
(oi)(02) Ui{oi,02) 1^2(01,02) 


01=/ 

02=/ 

ur 

ur 

oi=T 

02—I. 

UNn 

ur 

01= f 

02 ~E 


ur 

oi=T 

02 = / 

ur 

ur 


Players have their preferences based on different possible outcomes. In this work, a rational player $w$ is assumed to have the following preference:

TZi : Ul^ > UY > 

2. Fairness 

In the non-rational setting, the security of a protocol is analyzed by comparing what an adversary can do in a real protocol execution to what it can do in an ideal scenario that is secure by definition [l3, [IB HBl- This is formalized by considering an ideal computation involving an incorruptible trusted party to whom the parties send their inputs. The trusted party computes the functionality on the inputs and returns to each party its respective output. Loosely speaking, a protocol is secure if any adversary interacting in the real protocol (where no trusted party exists) can do no more harm than if it were involved in the above-described ideal computation.

A rational player, being selfish, desires an unfair outcome, i.e., computing the function alone. Therefore, the basic aim of rational computation has been to achieve fairness. According to the Von Neumann and Morgenstern expected utility theorem [2^, under natural assumptions, the individual would prefer one prospect $O_1$ over another prospect $O_2$ if and only if $E[U(O_1)] > E[U(O_2)]$. The work [IBl implicitly uses the expected utility theorem to derive its results. We also use the same approach and accordingly redefine fairness as follows.

Definition 3. (Fairness) A rational function reconstruction mechanism $(\Gamma, \vec{\sigma})$ is said to be completely fair if for a party $P_w$ ($w \in \{1,2\}$), who is corrupted by an adversary having unbounded power of computation, the following holds:

ur>E[uM)], 

where Oi = {o},,..., o)} ;pi,... ,Pn'} is any prospect 
when the player deviates from the suggested strategy and 
n' is the number of possible outcomes. 

3. Strict Nash Equilibrium 

Now, we define Nash equilibrium for a two-player game. A suggested strategy of a mechanism $(\Gamma, \vec{\sigma})$ is said to be in Nash equilibrium when there is no incentive for a player $w \in \{1,2\}$ to deviate from the suggested strategy, given that the other player is following its suggested strategy. There are many variants of Nash equilibrium in the game theory literature 0- However, in the quantum domain, the players are assumed to have unbounded computational power and hence the relevant equilibrium is the strict Nash equilibrium iUllB. We recall its definition below.

Definition 4. (Strict Nash equilibrium) The suggested strategy in the mechanism $(\Gamma, \vec{\sigma})$ is a strict Nash equilibrium, if for every player $P_w$, $w \in \{1,2\}$, who possesses unbounded power of computation and for any strategy $\sigma'_w$ which deviates from the suggested strategy, we have

-w) < 

III. REVISITING THE MILLIONAIRES’ 
PROBLEM dl 

In this section, we first describe the millionaires' problem or, more precisely, the greater than function, proposed by Gordon et al. [Ij, [IB] . Let us denote the two players by $P_1$ and $P_2$. As we deal with the hybrid model, there is a trusted party whom we call the dealer. Suppose $P_1$ has the secret $i$ and $P_2$ has the secret $j$, $1 \le i \le M$, $1 \le j \le M$, where $M$ is an integer. The dealer gives an ordered list $X = \{x_1, x_2, \ldots, x_M\}$ to $P_1$ and another ordered list $Y = \{y_1, y_2, \ldots, y_M\}$ to $P_2$. Then $P_1$ sends $x_i$ to the dealer and $P_2$ sends $y_j$ to the dealer. Let $f$ be a deterministic function which maps $X \times Y \to \{0,1\} \times \{0,1\}$. The function $f(x_i, y_j)$ can be defined as a pair of outputs, i.e., $f(x_i, y_j) = (f_1(x_i, y_j), f_2(x_i, y_j))$, where $f_1(x_i, y_j)$ is the output of the first party $P_1$ and $f_2(x_i, y_j)$ is the output of the second party $P_2$. For the millionaires' problem, the function is defined as follows [I10. For $w = 1, 2$,

$$f_w(x_i, y_j) = \begin{cases} 1 & \text{if } i > j, \\ 0 & \text{if } i \le j. \end{cases} \qquad (1)$$

The protocol proceeds in a series of $M$ iterations. The dealer creates two sequences $\{a_l\}$ and $\{b_l\}$, $l = 1, 2, \ldots, M$, as follows.

$$a_i = b_j = f_1(x_i, y_j) = f_2(x_i, y_j).$$

For $l \ne i$, $a_l = \perp$ and for $l \ne j$, $b_l = \perp$.

Next, the dealer splits the secret $a_l$ into the shares $a_l^1$ and $a_l^2$, and the secret $b_l$ into the shares $b_l^1$ and $b_l^2$, so that $a_l = a_l^1 \oplus a_l^2$ and $b_l = b_l^1 \oplus b_l^2$, and gives the shares $\{(a_l^1, b_l^1)\}$ to $P_1$ and the shares $\{(a_l^2, b_l^2)\}$ to $P_2$. In each round $l$, $P_2$ sends $a_l^2$ to $P_1$, who, in turn, sends $b_l^1$ to $P_2$. $P_1$ learns the output value $f_1(x_i, y_j)$ in iteration $i$, and $P_2$ learns the output value $f_2(x_i, y_j)$ in iteration $j$. In a round $l \ne i$, $P_1$ outputs $\perp$ and in a round $l \ne j$, $P_2$ outputs $\perp$. As we require three elements, 0, 1 and $\perp$, we define 0 by 00, 1 by 11 and $\perp$ by 01. Note that the dealer who will distribute the shares is honest and can compute the function described in Equation 1.

The algorithm in the Byzantine setting is the same as in the fail-stop setting except for some additional steps. In the Byzantine setting, the shares are signed by the dealer. As explained in exploiting the MAC signature, we can prevent the players from sending a false share.
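The share generation and round-by-round exchange described in this section can be run classically. The following is an added example, not code from the paper: it follows the XOR splitting and the 00/11/01 encoding given above, and it assumes HMAC-SHA256 as the MAC and hypothetical names (`deal`, `run`, `forge_round`), since the text only says that the dealer signs the shares.

```python
import hashlib
import hmac
import secrets

BOT = "BOT"                            # stands for the null output (⊥)
ENC = {0: 0b00, 1: 0b11, BOT: 0b01}    # two-bit encoding given in the text
DEC = {code: sym for sym, code in ENC.items()}

def greater_than(i, j):
    """f_w(x_i, y_j): 1 if i > j, 0 if i <= j."""
    return 1 if i > j else 0

def tag(key, rnd, share):
    """MAC over (round, share). HMAC-SHA256 is an assumption of this example."""
    msg = rnd.to_bytes(4, "big") + bytes([share])
    return hmac.new(key, msg, hashlib.sha256).digest()

def deal(i, j, M):
    """Dealer: build a_l and b_l, XOR-split them, and tag every share that is sent."""
    out = greater_than(i, j)
    k1 = secrets.token_bytes(32)       # P1's key, verifies the a2 shares sent by P2
    k2 = secrets.token_bytes(32)       # P2's key, verifies the b1 shares sent by P1
    p1_rounds, p2_rounds = [], []
    for l in range(1, M + 1):
        a = ENC[out if l == i else BOT]    # a_l is the output only in round i
        b = ENC[out if l == j else BOT]    # b_l is the output only in round j
        a1, b1 = secrets.randbelow(4), secrets.randbelow(4)
        a2, b2 = a ^ a1, b ^ b1            # a_l = a1 XOR a2, b_l = b1 XOR b2
        p1_rounds.append({"a1": a1, "b1": b1, "b1_tag": tag(k2, l, b1)})
        p2_rounds.append({"a2": a2, "b2": b2, "a2_tag": tag(k1, l, a2)})
    return {"key": k1, "rounds": p1_rounds}, {"key": k2, "rounds": p2_rounds}

def run(p1, p2, forge_round=None):
    """Exchange shares. If forge_round is set, P1 flips one bit of b1 in that round."""
    res = {"out1": BOT, "out2": BOT, "round1": None, "round2": None, "abort": None}
    for l, (r1, r2) in enumerate(zip(p1["rounds"], p2["rounds"]), start=1):
        # P2 -> P1: share a2 with its tag; P1 verifies before combining.
        if not hmac.compare_digest(tag(p1["key"], l, r2["a2"]), r2["a2_tag"]):
            res["abort"] = ("P2 sent a false share", l)
            return res
        a = DEC[r1["a1"] ^ r2["a2"]]
        if a != BOT:
            res["out1"], res["round1"] = a, l
        # P1 -> P2: share b1 with its tag; P2 verifies before combining.
        sent = r1["b1"] ^ 1 if l == forge_round else r1["b1"]
        if not hmac.compare_digest(tag(p2["key"], l, sent), r1["b1_tag"]):
            res["abort"] = ("P1 sent a false share", l)
            return res
        b = DEC[sent ^ r2["b2"]]
        if b != BOT:
            res["out2"], res["round2"] = b, l
    return res

if __name__ == "__main__":
    p1, p2 = deal(i=5, j=3, M=8)       # constructed inputs: P1 is richer
    print(run(p1, p2))                 # P1 learns 1 in round 5, P2 learns 1 in round 3
    print(run(p1, p2, forge_round=2))  # the forged share is rejected in round 2
```

Each share on its own is a uniformly random two-bit value, so a party learns nothing about the output before the round in which its reconstructed value differs from the null symbol.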


IV. QUANTUM SOLUTION OF 
MILLIONAIRES’ PROBLEM IN NON-RATIONAL 
SETTING 


In this section, we propose a quantum version of the millionaires' problem. It is the quantum analogue of the protocol of Gordon et al. in the classical domain Bin. However, their security proof is based on some computational hardness in the classical domain, whereas we exploit the property of entanglement to provide security of the protocol in the quantum domain.

Here, we exploit the four Bell states [ 2 ^. The maximally entangled two-particle state is $|g_0\rangle = \frac{1}{\sqrt{2}}\big[|0\rangle_1 |0\rangle_2 + |1\rangle_1 |1\rangle_2\big]$. This state is called an Einstein, Podolsky, Rosen pair, in short EPR pair or Bell state. There are four independent Bell states. They are

$$|g_0\rangle = \tfrac{1}{\sqrt{2}}\big[|0\rangle_1 |0\rangle_2 + |1\rangle_1 |1\rangle_2\big], \qquad |g_1\rangle = \tfrac{1}{\sqrt{2}}\big[|0\rangle_1 |0\rangle_2 - |1\rangle_1 |1\rangle_2\big],$$
$$|g_2\rangle = \tfrac{1}{\sqrt{2}}\big[|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2\big], \qquad |g_3\rangle = \tfrac{1}{\sqrt{2}}\big[|0\rangle_1 |1\rangle_2 - |1\rangle_1 |0\rangle_2\big].$$

Here, subscript 1 stands for $P_1$'s qubit and subscript 2 stands for $P_2$'s qubit. We need any three of these orthogonal states. In this work, without loss of generality, we consider $|g_0\rangle$, $|g_1\rangle$ and $|g_2\rangle$.

As in the classical case, the secret of $P_1$ is $i$ and the secret of $P_2$ is $j$, $1 \le i \le m$, $1 \le j \le m$, where $m$ is an integer. They want to know whether $i > j$ or $i < j$. The dealer supplies them two ordered lists, $X = \{x_1, x_2, \ldots, x_m\}$ to $P_1$ and $Y = \{y_1, y_2, \ldots, y_m\}$ to $P_2$. $P_1$ chooses $x_i$ and $P_2$ chooses $y_j$ from their respective lists and send those to the dealer. The dealer will compute the function and will distribute the shares (here, qubits) in such a way that $P_1$ will get the value of the function, i.e., $f_1(x_i, y_j)$, in iteration $i$ and $P_2$ will get the value of the function, i.e., $f_2(x_i, y_j)$, in iteration $j$. The protocol proceeds in a series of $m$ iterations. In a round $l \ne i$, $P_1$ outputs $\perp$ and in a round $l \ne j$, $P_2$ outputs $\perp$. The quantum solution of the millionaires' problem in the non-rational setting is described in Algorithm 1 (QShareGen) and Algorithm 2 (np,^^).


Inputs:

The inputs of QShareGen are $x_i$ from $P_1$ and $y_j$ from $P_2$. If one of the received inputs is not in the correct domain, then both the parties are given $\perp$.

Computation:

The dealer does the following:

1. (a) If $f_1(x_i, y_j) = f_2(x_i, y_j) = 0$, prepares two copies of $|g_0\rangle = \frac{1}{\sqrt{2}}(|0\rangle_1 |0\rangle_2 + |1\rangle_1 |1\rangle_2)$. We denote them as $|g_0'\rangle$ and $|g_0''\rangle$.

   (b) If $f_1(x_i, y_j) = f_2(x_i, y_j) = 1$, prepares two copies of $|g_1\rangle = \frac{1}{\sqrt{2}}(|0\rangle_1 |0\rangle_2 - |1\rangle_1 |1\rangle_2)$. We denote them as $|g_1'\rangle$ and $|g_1''\rangle$.

2. For each $l \in \{1, \ldots, m\}$, $l \ne i$ and $l \ne j$, prepares two copies of $|g_2\rangle = \frac{1}{\sqrt{2}}(|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2)$.

3. For $l = i$, prepares one copy of $|g_2\rangle = \frac{1}{\sqrt{2}}(|1\rangle_1 |0\rangle_2 + |0\rangle_1 |1\rangle_2)$. We call that $|g_2'\rangle$.

4. For $l = j$, prepares one copy of $|g_2\rangle = \frac{1}{\sqrt{2}}(|1\rangle_1 |0\rangle_2 + |0\rangle_1 |1\rangle_2)$. We call that $|g_2''\rangle$.

Output:

1. For $l \in \{1, 2, \ldots, m\}$ the dealer prepares a list $list_w$ of shares for each party $P_w$, where $w \in \{1, 2\}$, such that for each round each player is given two qubits, marked as 1st and 2nd, from two different entangled states.

   (a) When $l = i$, $P_1$ is given the first half from $|g_0'\rangle$ or $|g_1'\rangle$, depending on the value of $f_1(x_i, y_j)$, and the first half from the entangled state $|g_2'\rangle$. $P_2$ is given the other halves. For each party, the qubit from $|g_0'\rangle$ or $|g_1'\rangle$ is marked as the 1st qubit for that round and the qubit from $|g_2'\rangle$ is marked as the 2nd qubit for that round.

   (b) When $l = j$, $P_2$ is given the second half from $|g_0''\rangle$ or $|g_1''\rangle$, depending on the value of $f_2(x_i, y_j)$, and the second half from the entangled state $|g_2''\rangle$. $P_1$ is given the first halves. For each party, the qubit from $|g_0''\rangle$ or $|g_1''\rangle$ is marked as the 2nd qubit for that round and the qubit from $|g_2''\rangle$ is marked as the 1st qubit for that round.

   (c) For all other rounds, $P_1$ is given the first halves from two different $|g_2\rangle$ states, whereas $P_2$ is given the other halves from the same entangled states. For each party the qubits are marked in such a way that the 1st (resp. 2nd) qubit of $P_1$ is correlated with the 1st (resp. 2nd) qubit of $P_2$.

   (d) Each list contains $2m$ qubits.

Algorithm 1: QShareGen


A. Security Analysis 


A Byzantine player can behave arbitrarily. He can manipulate the shares (here, qubits) which he has obtained from the dealer or may abort early. In this subsection we will show how entanglement provides security against such manipulation. The aborting case will be discussed next.
Inputs:

Each of $P_1$ and $P_2$ receives his corresponding list of shares.

Computation:

The players do the following.

1. Each round is subdivided into two sub-rounds.

2. In the first sub-round, $P_2$ sends the first qubit of its list for that round to $P_1$.

3. In the second sub-round, $P_1$ sends the second qubit of its list for that round to $P_2$.

4. After receiving the qubits from $P_2$, $P_1$ measures the two qubits in the Bell basis.

   (a) If $l \ne i$ and the measurement result is $|g_0\rangle$ or $|g_1\rangle$ or $|g_3\rangle$, aborts the protocol and reports forgery by $P_2$. If it is $|g_2\rangle$, concludes $\perp$.

   (b) If $l = i$ and the measurement result is $|g_2\rangle$ or $|g_3\rangle$, then aborts the protocol and reports forgery by $P_2$. If the measurement result is $|g_0\rangle$, concludes $f_1(x_i, y_j) = 0$. If it is $|g_1\rangle$, concludes $f_1(x_i, y_j) = 1$.

5. After receiving the qubits from $P_1$, $P_2$ measures the two qubits in the Bell basis.

   (a) If $l \ne j$ and the measurement result is $|g_0\rangle$ or $|g_1\rangle$ or $|g_3\rangle$, aborts the protocol and reports forgery by $P_1$. If it is $|g_2\rangle$, concludes $\perp$.

   (b) If $l = j$ and the measurement result is $|g_2\rangle$ or $|g_3\rangle$, then aborts the protocol and reports forgery by $P_1$. If the measurement result is $|g_0\rangle$, concludes $f_2(x_i, y_j) = 0$. If it is $|g_1\rangle$, concludes $f_2(x_i, y_j) = 1$.

Output:

1. $P_1$ obtains its output value, i.e., either 0 or 1 depending upon $f_1(x_i, y_j)$, in iteration $i$, whereas $P_2$ obtains its output value, i.e., either 0 or 1 depending upon $f_2(x_i, y_j)$, in iteration $j$.

2. If $P_2$ aborts in round $l$, i.e., does not send its share at that round, and $l \le i$, $P_1$ outputs 1. If $l > i$, $P_1$ has already determined the output in iteration $i$. Thus it outputs that value.

3. If $P_1$ aborts in round $l$, i.e., does not send its share at that round, and $l \le j$, $P_2$ outputs 0. If $l > j$, $P_2$ has already determined the output in iteration $j$. Thus it outputs that value.


Algorithm 2: 11^^^ 


1. Security against Forgery 


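Without loss of generality, let us assume that $P_1$ tries to manipulate the qubits obtained from the dealer with the motivation to convey the wrong message to $P_2$. Here, manipulation means sending an arbitrary qubit or swapping the qubits of his list. This forgery is detected with significant probability. Here, we assume that $P_1$ sends an arbitrary qubit to $P_2$ in a round $l$. The analysis will be the same if we consider the swapping of the qubits of his list.

Like the classical MAC signature, in the quantum domain, entanglement provides security against such forgery. According to the protocol, in round $l \ne j$, if no cheating occurs, then $P_2$ will get $|g_2\rangle = \frac{1}{\sqrt{2}}\big(|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2\big)$. In terms of the density matrix it can be written as

$$\rho = \tfrac{1}{2}\big(|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2\big)\big(\langle 0|_1 \langle 1|_2 + \langle 1|_1 \langle 0|_2\big).$$

Now, let us assume that $P_1$ sends an arbitrary qubit, which is $|\phi\rangle = \alpha|0\rangle_3 + \beta|1\rangle_3$, instead of the correct one. In terms of the density matrix, the arbitrary state can be written as

$$\rho_3 = |\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|.$$

Thus, the state at the end of $P_2$ would be

$$\rho_2 = \big[\mathrm{Tr}_{P_1}(\rho)\big] \otimes \rho_3 = \tfrac{1}{2}\Big[\, |1\rangle_2\langle 1| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) + |0\rangle_2\langle 0| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) \Big].$$

In this case, when $P_2$ measures qubit 2 and qubit 3 in the Bell basis, $P_2$ will get either $|g_0\rangle$ or $|g_1\rangle$ or $|g_2\rangle$ or $|g_3\rangle$ with probability $\frac{1}{4}$ instead of $|g_2\rangle$ only. The detailed calculations are given here. For the rest of the paper, we will refer to this section.

Let us assume that $P_2$ obtains $|g_0\rangle$ after measurement. Thus, the probability that $P_2$ obtains $|g_0\rangle$ is given by

$$\mathrm{Tr}\big[\,|g_0\rangle_{23}\langle g_0|\,(\rho_2)\big] = \langle g_0|\,\rho_2\,|g_0\rangle_{23} = \tfrac{1}{4}\big(\langle 00|_{23} + \langle 11|_{23}\big)\Big[\, |1\rangle_2\langle 1| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) + |0\rangle_2\langle 0| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) \Big]\big(|00\rangle_{23} + |11\rangle_{23}\big) = \tfrac{1}{4}\big[|\alpha|^2 + |\beta|^2\big] = \tfrac{1}{4}.$$

If $l \ne j$, according to our protocol, $P_2$ should get $|g_2\rangle$ only. But as $P_1$ sends an arbitrary qubit to $P_2$, when measured, $P_2$ gets any one of the four Bell states with probability $\frac{1}{4}$. Thus, if $l \ne j$ and $P_2$ gets $|g_0\rangle$ or $|g_1\rangle$ or $|g_3\rangle$, he immediately concludes that $P_1$ is cheating. The success probability of detecting such cheating for a round $l \ne j$ is $\frac{3}{4}$.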

Similarly, when $l = j$, if $P_1$ does not cheat, $P_2$ would get either $|g_0\rangle$ or $|g_1\rangle$ depending on the value of $f_2(x_i, y_j)$. However, if $P_1$ cheats, when measured, $P_2$ will get any one Bell state. In case of $|g_0\rangle$ and $|g_1\rangle$, he cannot detect the cheating because he does not know the value of $f_2(x_i, y_j)$ a priori. However, if he gets $|g_2\rangle$ or $|g_3\rangle$, he immediately detects the cheating with certainty. Thus, the success probability of detecting the cheating when $l = j$ is $\frac{1}{2}$. As $P_1$ has no idea about the value of $j$, the average success probability of detecting such cheating is

$$\tfrac{3}{4}\Pr(l \ne j) + \tfrac{1}{2}\Pr(l = j) = \tfrac{3}{4}\big[\Pr(l < j) + \Pr(l > j)\big] + \tfrac{1}{2}\Pr(l = j).$$

We do not bother about $\Pr(l > j)$ because $P_2$ should have no incentive to detect the cheating when $l > j$, as he has already got his output value in round $j$. Thus the total success probability of $P_2$ to detect such cheating is

$$\tfrac{3}{4}\Pr(l < j) + \tfrac{1}{2}\Pr(l = j) = \tfrac{3}{4}\cdot\tfrac{j-1}{m} + \tfrac{1}{2}\cdot\tfrac{1}{m} = \tfrac{3j-1}{4m}.$$

Theorem 1. In the non-rational setting, the success probability of $P_2$ to detect cheating by $P_1$ who is corrupted by a Byzantine adversary in an arbitrary round $l$ is ■

The same conclusion can be drawn when we assume $P_2$ is corrupted. In this case, we modify the theorem in the following way.

Theorem 2. In the non-rational setting, the success probability of $P_1$ to detect cheating by $P_2$ who is corrupted by a Byzantine adversary in an arbitrary round $l$ is ^

a ty a rpn 
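The forgery analysis above can be checked numerically. The following is an added example, not code from the paper: it builds $P_2$'s state when $P_1$ substitutes an arbitrary qubit $\alpha|0\rangle + \beta|1\rangle$, computes the Bell-basis outcome probabilities, and sums the detection probability over rounds, assuming (as the $(j-1)/m$ and $1/m$ terms in the derivation do) that the forged round $l$ is uniform over $1, \ldots, m$. Function names are hypothetical.

```python
import math

S = 1 / math.sqrt(2)
# Bell states written in the computational basis |00>, |01>, |10>, |11>.
BELL = {
    "g0": [S, 0, 0, S],
    "g1": [S, 0, 0, -S],
    "g2": [0, S, S, 0],
    "g3": [0, S, -S, 0],
}

def outer(v):
    """Density matrix |v><v| of a pure state given as a list of amplitudes."""
    return [[a * complex(b).conjugate() for b in v] for a in v]

def kron(A, B):
    """Tensor product of two square matrices given as nested lists."""
    n, m = len(A), len(B)
    return [[A[r // m][c // m] * B[r % m][c % m] for c in range(n * m)]
            for r in range(n * m)]

def bell_probs(rho):
    """Probability <g_k| rho |g_k> of each outcome of a Bell-basis measurement."""
    probs = {}
    for name, g in BELL.items():
        val = sum(g[r] * rho[r][c] * g[c] for r in range(4) for c in range(4))
        probs[name] = complex(val).real
    return probs

def honest_pair(name):
    """State P2 measures when both halves come from the dealer's Bell state."""
    return outer(BELL[name])

def forged_pair(alpha, beta):
    """P2's half of |g2> (maximally mixed once P1's half is traced out)
    together with the substituted qubit alpha|0> + beta|1>."""
    norm = math.sqrt(abs(alpha) ** 2 + abs(beta) ** 2)
    phi = [alpha / norm, beta / norm]
    half = [[0.5, 0.0], [0.0, 0.5]]        # Tr_{P1}(|g2><g2|)
    return kron(half, outer(phi))

def detection_probability(j, m, alpha, beta):
    """Chance that P2 catches a forged qubit sent in a uniformly chosen round l.
    Rounds l > j are not counted: P2 already holds its output by then."""
    p = bell_probs(forged_pair(alpha, beta))
    caught_dummy = p["g0"] + p["g1"] + p["g3"]   # l < j: only g2 is legitimate
    caught_output = p["g2"] + p["g3"]            # l = j: g0 and g1 look valid
    total = 0.0
    for l in range(1, m + 1):
        if l < j:
            total += caught_dummy / m
        elif l == j:
            total += caught_output / m
    return total

if __name__ == "__main__":
    # Constructed sample values: alpha = 0.6, beta = 0.8i, j = 4, m = 10.
    print(bell_probs(honest_pair("g2")))
    print(bell_probs(forged_pair(0.6, 0.8j)))
    print(detection_probability(4, 10, 0.6, 0.8j), (3 * 4 - 1) / (4 * 10))
```

The outcome distribution does not depend on $\alpha$ and $\beta$, which is why the forger cannot tune the substituted qubit to lower the detection rate.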


2. Fairness against Early Abort 

As Pi is always computing its output first followed 
by P2, the aborting of Pi plays an important role to 
achieve the fairness of the protocol. The early abort of 
P2 will terminate the protocol up to that round in which 
P2 aborts. In that case, either both get the output or 
none gets the output. Thus, early abort of P2 does not 
affect the fairness condition. We now concentrate on the 
early abort of Pi. 

Let us assume that Pi aborts in round 1 . There are 
two cases: i < j and i > j. We analyze each case one by 
one. 

Case 1: i < j. 

Subcase 1(a): I < i. In this case. Pi outputs T and 
P2 outputs 0 . In ideal world model, the trusted party 
sends fi{xi,yj) to Pi in iteration i and f2{xi,yj) to P2 
in iteration j. In all other rounds trusted party sends 
T to both Pi and P2. If a party (say Pi) aborts the 
protocol in an arbitrary round I after getting the output, 
the trusted party sends the honest party (here, P2) the 
value of f2(xi,yj). Thus when Pi aborts in round I < i, 
Pi outputs T whereas P2 outputs /2 (xi ,yj). As i < j and 
I < i, then I < j. So f2(^x1, yj) = 0 (refer to Equation [T]) . 
Hence, 

Pr [(viEWideai{x,v),OUTi,i^ai{x,y)') = (-L.0)|; < iA* < j] 

= Pr \^(viEWhybr-id(x, y),OUThybrid{x, y)^ = (_L, 0) |i < i A * < l] ■ 

Subcase 1(b): I = i. In this case, Pi obtains the correct 
output i.e. 0 and P2 outputs 0 . In ideal model, when Pi 
aborts in round I = i, trusted party has already sent 
0 to Pi and f2{xi,yj) to P2- As i < j, f2{xi,yj) = 0 
(Equation [T]). Hence, 

Pr [(viEWideui{x,y),OUTi 

deai(^:y)^ — 

= Pr \^(viEWhybrid(x, v),OUTi,ybridix, y)') = (0, 0) |i = i A * < t] ■ 

Subcase 1(c): $l > i$. Here two cases can arise. i) $i < l < j$; in this case, P1 obtains the correct output and P2 outputs 0. ii) $i = j < l$; in this case, both P1 and P2 have already obtained 0. In ideal model, if P1 aborts in round $l > i$, P1 has already got its output value whereas the trusted party sends $f_2(x_i, y_j)$ to P2. When $i < l < j$, then $f_2(x_i, y_j) = 0$ (Equation (1)), whereas for $i = j$, P2 has already got the correct output, i.e., 0. Hence,

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (0, 0) \mid l > i \wedge i < j\big] = \Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (0, 0) \mid l > i \wedge i < j\big].$$

Case 2: i > j. 

Subcase 2(a): $l < j$. In this case, P1 outputs $\perp$ and P2 outputs 0. In ideal model, if P1 aborts in round $l < j$, P1 outputs $\perp$ and the trusted party sends $f_2(x_i, y_j)$ to P2. As $l < j$, $f_2(x_i, y_j) = 0$ (Equation (1)). Hence,

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (\perp, 0) \mid l < j \wedge i > j\big] = \Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (\perp, 0) \mid l < j \wedge i > j\big].$$

Subcase 2(b): $j < l < i$. In this case, P1 obtains $\perp$ and P2 gets the correct output, i.e., 1. In ideal model, if P1 aborts in round $j < l < i$, P1 is given $\perp$ whereas the trusted party sends $f_2(x_i, y_j)$ to P2. As $j < l$, then $f_2(x_i, y_j) = 1$ (Equation (1)). Hence,

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (\perp, 1) \mid j < l < i \wedge i > j\big] = \Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (\perp, 1) \mid j < l < i \wedge i > j\big].$$

Subcase 2(c): $j < l = i$. In this case, P1 and P2 both obtain the correct output, i.e., 1. In ideal model, if P1 aborts in round $j < l = i$, P1 is given 1 whereas the trusted party sends $f_2(x_i, y_j)$ to P2. As $j < l = i$, then $f_2(x_i, y_j) = f_2(x_l, y_j) = 1$ (Equation (1)). Hence,

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (1, 1) \mid j < l = i \wedge i > j\big] = \Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (1, 1) \mid j < l = i \wedge i > j\big].$$

When $i < l < m$, P1 has no incentive to abort, as in this case both P1 and P2 have already obtained their respective outputs.

Hence, from the above analysis, we can conclude that in the hybrid model, the adversary does no more harm than in the ideal scenario. Thus our protocol achieves fairness in non-rational setting.

Theorem 3. In non-rational setting, the protocol 
achieves fairness. 


V. QUANTUM SOLUTION OF MILLIONAIRES’ 
PROBLEM IN RATIONAL SETTING 

As discussed in Section Hi F 21 the definition of fairness 
changes in rational setting. Thus, we have to modify our 
protocol in Section [IV] for rational setting. 

Our proposed protocol is described in Algorithm [ 3 ] 
(QRShareGen) and Algorithm[ 4 ] (IIpj^^^). Here, some 
additional assumptions are required. For example, unlike the non-rational setting, both the players obtain the value of the function in a specific round called the revelation round. We denote this by $r$. The position of $r$ among the $m$ iterations is not revealed to the players and is






Inputs:

The inputs of QRShareGen are $x_i$ from P1 and $y_j$ from P2. If one of the received inputs is not in the correct domain, then both the parties are given $\perp$.

Computation:

Dealer does the following:

1. Chooses $r$ according to a geometric distribution $\mathcal{G}(\gamma)$ with parameter $\gamma$ and sets it as the revelation round, i.e., the round in which the value of $f(x_i, y_j) = (0, 0)$ or $(1, 1)$.

2. Chooses $d$ according to the geometric distribution $\mathcal{G}(\gamma)$ and sets the total number of iterations as $m = r + d$.

3. For the revelation round, i.e., when $l = r$, dealer does the following:

   (a) If $f(x_i, y_j) = (0, 0)$, prepares two copies of $|g_0\rangle$.

   (b) If $f(x_i, y_j) = (1, 1)$, prepares two copies of $|g_1\rangle = \frac{1}{\sqrt{2}}(|0\rangle_1 |0\rangle_2 - |1\rangle_1 |1\rangle_2)$.

4. For each $l \in \{1, \ldots, m\}$, $l \neq r$, prepares two copies of $|g_2\rangle = \frac{1}{\sqrt{2}}(|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2)$.

Output:

1. For $l \in \{1, 2, \ldots, m\}$ dealer prepares a list $list_w$ of shares for each party $P_w$, where $w \in \{1, 2\}$, such that for each round each player is given two qubits, marked as 1st and 2nd, from two different entangled states.

   (a) When $l = r$, P1 is given the 1st halves from two copies of $|g_0\rangle$ or $|g_1\rangle$ depending on the value of $f(x_i, y_j)$ and P2 is given the second halves from the same entangled states.

   (b) For all other rounds, P1 is given the first halves from two different $|g_2\rangle$ states, whereas P2 is given the remaining halves from the same entangled states.

   (c) The marking of the qubits for a round for each party is such that the 1st (resp. 2nd) qubit of P1 is correlated with the 1st (resp. 2nd) qubit of P2.

   (d) Each list contains $2m$ qubits.


Algorithm 3: QRShareGen 


Inputs:

Each of P1 and P2 receives his corresponding list of shares.

Computation:

The players do the following.

1. Each round is subdivided into two sub-rounds.

2. In the first sub-round, P2 sends the first qubit of its list for that round to P1.

3. In the second sub-round, P1 sends the second qubit of its list for that round to P2.

4. After receiving the qubits from P2, P1 measures the two qubits in Bell basis.

   (a) If in any round $l$ the measurement result is $|g_3\rangle$, P1 aborts the protocol and reports forgery by P2.

   (b) Otherwise, if the measurement result is $|g_0\rangle$, concludes $f_1(x_i, y_j) = 0$. If it is $|g_1\rangle$, concludes $f_1(x_i, y_j) = 1$. If it is $|g_2\rangle$, concludes $\perp$.

5. After receiving the qubits from P1, P2 measures the two qubits in Bell basis.

   (a) If in any round $l$ the measurement result is $|g_3\rangle$, P2 aborts the protocol and reports forgery by P1.

   (b) Otherwise, if the measurement result is $|g_0\rangle$, concludes $f_2(x_i, y_j) = 0$. If it is $|g_1\rangle$, concludes $f_2(x_i, y_j) = 1$. If it is $|g_2\rangle$, concludes $\perp$.

Output:

1. P1 and P2 obtain their outputs in iteration $r$.

2. If P2 aborts in round $l$, i.e., does not send its share at that round, and $l < r$, P1 outputs $\perp$. If $l > r$, P1 has already determined the output in iteration $r$. Thus it outputs that value.

3. If P1 aborts in round $l$, i.e., does not send its share at that round, and $l < r$, P2 outputs $\perp$. If $l > r$, P2 has already determined the output in iteration $r$. Thus it outputs that value.


Algorithm 4: 


chosen according to a geometric distribution $\mathcal{G}(\gamma)$, where the parameter $\gamma$ in turn depends on the utility values of the players. We here assume that $\gamma < \frac{U^{TT} - U^{NN}}{U^{TN} - U^{NN}}$. Another assumption is that if any player chooses abort in any round $l$, we tell him whether this round is the revelation round or not [18]. The term and condition of the game is that knowing whether the round is the revelation round or not, no player can revise his decision. Now we show that under this restriction and the assumption that $\gamma < \frac{U^{TT} - U^{NN}}{U^{TN} - U^{NN}}$, our protocol achieves fairness.


A. Security Analysis 

A Byzantine player can manipulate the share as well as abort early. Firstly, we analyze the security issues assuming that the player manipulates the share. Secondly, we analyze fairness of the protocol considering early abort of the corrupted player.


1. Security against Forgery 

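Without loss of generality, let us assume that P1 is corrupted by the Byzantine adversary and can manipulate the share (here, qubit). He can send an arbitrary qubit to P2 or can swap the qubits of his list and can send an uncorrelated qubit to P2. The analysis is almost the same as in Subsection IV A 1. The forgery is detected with significant probability.

If no cheating occurs, then in round $l \neq r$, P2 will get $|g_2\rangle = \frac{1}{\sqrt{2}}(|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2)$. Now, let us assume that P1 sends an arbitrary share $|\phi\rangle = [\alpha |0\rangle_3 + \beta |1\rangle_3]$ instead of the correct one. Thus, at round $l \neq r$, the state at the end of P2 would be

$$\rho_2 = [\mathrm{tr}_{P_1}(\rho)] \otimes (\rho_3) = \frac{1}{2}\Big[\, |1\rangle_2\langle 1| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) + |0\rangle_2\langle 0| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) \Big],$$

where $\rho = \frac{1}{2}(|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2)(\langle 0|_1 \langle 1|_2 + \langle 1|_1 \langle 0|_2)$ and $\rho_3 = [\,|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\,]$.

P2 will measure qubit 2 and qubit 3. After measurement, P2 will get either $|g_0\rangle$ or $|g_1\rangle$ or $|g_2\rangle$ or $|g_3\rangle$ with probability $\frac{1}{4}$ instead of $|g_2\rangle$ only (see Section IV A 1).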
As P2 has no idea about the position of the revelation round, when he gets $|g_0\rangle$ or $|g_1\rangle$ he concludes that this is the revelation round. When he gets $|g_2\rangle$, he concludes that $l \neq r$. Only if he gets $|g_3\rangle$ does he immediately conclude that P1 is cheating. The success probability of detecting such cheating for a round $l \neq r$ is $\frac{1}{4}$.

Similarly, when $l = r$, if P1 does not cheat, P2 would get either $|g_0\rangle$ or $|g_1\rangle$ depending on the value of $f_2(x_i, y_j)$. However, if P1 cheats, when measured, P2 will get any one Bell state. In case of $|g_0\rangle$ and $|g_1\rangle$, he cannot detect the cheating because he does not know the value of $f_2(x_i, y_j)$ a priori. Again, if he gets $|g_2\rangle$ he also does not detect the cheating, as in this case he concludes that $l \neq r$. P2 can immediately detect the cheating with certainty if and only if he gets $|g_3\rangle$. Thus, the success probability of detecting the cheating when $l = r$ is also $\frac{1}{4}$. As P1 has no idea about the position of $r$, the average success probability of P2 to detect such cheating for a round $l$ is

$$\frac{1}{4}\Pr(l \neq r) + \frac{1}{4}\Pr(l = r) = \frac{1}{4}[\Pr(l < r) + \Pr(l > r)] + \frac{1}{4}\Pr(l = r).$$

We do not bother about $\Pr(l > r)$ because P2 should have no incentive to detect the cheating when $l > r$, as he has already got $f_2(x_i, y_j)$ in round $r$. Thus the total success probability of detecting the cheating is

$$\frac{1}{4}\Pr(l < r) + \frac{1}{4}\Pr(l = r) = \frac{1}{4}(1 - \gamma) + \frac{1}{4}\gamma = \frac{1}{4}.$$

According to our protocol, if P2 detects cheating, he 
will abort the protocol. Thus, if 7 < Ui'^, Pi has no 
incentive to forge in any round. Same thing happens if 
we assume that P2 is corrupted by the adversary. 

Theorem 4. In rational setting, the success probability of an honest player to detect cheating in an arbitrary round $l$ by a player who is corrupted by a Byzantine adversary is $\frac{1}{4}$.

Theorem 5 . In rational setting, if j , where w € 

{1, 2 }, no player has any incentive to forge in a round 1. 

The same conclusion can be drawn if we assume that P1 swaps the qubits of his list and sends an uncorrelated qubit to P2.
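The forgery analysis above can be checked numerically. The following added example (not code from the paper) traces out P1's qubit, forms the state of qubits 2 and 3 when P1 substitutes an arbitrary qubit, and computes the Bell-measurement statistics; it also covers the embedded-XOR protocol, where an honest player aborts on $|g_2\rangle$ or $|g_3\rangle$. The definitions of $|g_0\rangle$ and $|g_3\rangle$ are assumed to be the two remaining standard Bell states, and all function names are hypothetical.

```python
import math

S = 1 / math.sqrt(2)
# Amplitudes over the two-qubit basis |00>, |01>, |10>, |11>.
BELL = {
    "g0": (S, 0, 0, S),    # (|00> + |11>)/sqrt(2), assumed standard Bell state
    "g1": (S, 0, 0, -S),   # (|00> - |11>)/sqrt(2), as given in QRShareGen
    "g2": (0, S, S, 0),    # (|01> + |10>)/sqrt(2), as given in QRShareGen
    "g3": (0, S, -S, 0),   # (|01> - |10>)/sqrt(2), assumed standard Bell state
}


def honest_state(name="g2"):
    """Density matrix P2 measures when P1 forwards the correct half."""
    g = BELL[name]
    return [[g[i] * g[j] for j in range(4)] for i in range(4)]


def forged_state(alpha, beta, shared="g2"):
    """State of qubits (2, 3) when qubits (1, 2) share a Bell state and P1
    sends an unrelated qubit 3 = alpha|0> + beta|1>; qubit 1 is traced out."""
    norm = math.sqrt(abs(alpha) ** 2 + abs(beta) ** 2)
    phi = (alpha / norm, beta / norm)
    g = BELL[shared]

    def amp(q1, q2, q3):
        return complex(g[2 * q1 + q2] * phi[q3])

    rho = [[0j] * 4 for _ in range(4)]
    for q2 in (0, 1):
        for q3 in (0, 1):
            for p2 in (0, 1):
                for p3 in (0, 1):
                    rho[2 * q2 + q3][2 * p2 + p3] = sum(
                        amp(q1, q2, q3) * amp(q1, p2, p3).conjugate()
                        for q1 in (0, 1))
    return rho


def bell_probabilities(rho):
    """Probability <g|rho|g> of each Bell outcome (Bell amplitudes are real)."""
    return {
        name: sum(g[i] * rho[i][j] * g[j]
                  for i in range(4) for j in range(4)).real
        for name, g in BELL.items()
    }


def detection_probability(rho, abort_on):
    """Probability that the honest player sees an outcome on which he aborts."""
    probs = bell_probabilities(rho)
    return sum(probs[name] for name in abort_on)


if __name__ == "__main__":
    rho = forged_state(0.6, 0.8j)                       # constructed sample forgery
    print(bell_probabilities(rho))                      # every outcome has weight 1/4
    print(detection_probability(rho, ("g3",)))          # millionaires' protocol
    print(detection_probability(rho, ("g2", "g3")))     # embedded-XOR protocol
```

The outcome distribution does not depend on $\alpha$ and $\beta$, because P2's half of the shared pair is maximally mixed once P1's half is discarded.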

2. Fairness against Early Abort 

We have mentioned earlier that a player who is corrupted by a Byzantine adversary can abort early. As P1 always computes its output first, followed by P2, the aborting of P1 plays an important role in achieving the fairness of the protocol. The early abort of P2 will terminate the protocol up to that round in which P2 aborts. In that case, either both get the correct outputs or none gets the correct outputs. Thus, early abort of P2 does not affect the fairness condition. We now concentrate on the early abort of P1.

Let us assume that P1 aborts in round $l$. According to our protocol, if P1 declares early abort, we will tell whether the round is the revelation round or not. Knowing that, P1 cannot revise his decision. If $l < r$, P1 gets $|g_2\rangle$, whereas P2 outputs $\perp$. That means in this case, the utility of P1 is $U_1^{NN}$ (no one gets the output). If P1 aborts in round $l = r$, P1 gets either $|g_0\rangle$ or $|g_1\rangle$ depending on the value of $f_1(x_i, y_j)$ and P2 outputs $\perp$. In this case, the utility of P1 is $U_1^{TN}$ (P1 gets the output and P2 does not). P1 should have no incentive to abort in round $l > r$, as in this case P1 and P2 both have already obtained the value of the function in iteration $r$. Thus, the expected utility of P1 is

$$U_1^{NN} \Pr(l < r) + U_1^{TN} \Pr(l = r) = U_1^{NN}(1 - \gamma) + U_1^{TN}\gamma.$$

According to our assumption that $\gamma < \frac{U^{TT} - U^{NN}}{U^{TN} - U^{NN}}$, we can write $U_1^{NN}(1 - \gamma) + U_1^{TN}\gamma < U_1^{TT}$. Hence, P1 should have no incentive to abort early in the protocol and the protocol achieves fairness.

Theorem 6 . In rational setting, provided IZi (Sec- 
tion 1771 ). 0 < 7 < I and P™ + (1 — for 

all w € {1,2}, the protocol achieves fairness. 

Now we are in a position to prove strict Nash equilib¬ 
rium for our protocol 

Theorem 7. In rational setting, provided 7 < , IZi 

(Section 1771 ). 0 < 7 < 1 and + (1 — 
for all w S {1,2}, the protocol achieves strict 

Nash equilibrium. 

Proof. In Theorem 0 it has been shown that if 7 < , 

where w € {1,2}, no player has any incentive to cheat. 
It will be better for him to follow the suggested strategy 
as by cheating he can not increase his payoff. Further 
in Theorem [51 we proved that provided TZi f Section HD) . 
0 < 7 < 1 and + (1 - for all w G 

{1,2}, no player has any incentive to abort early. In this 
case also, deviation from the suggested strategy does not 
help him to gain more payoff. In other word, we have 
Uw{(y'wj~^-w) < u.ui{~^) for any player P^,, w G {1,2} 
and hence the player P^, always follows the suggested 
strategy. □ 

VI. SECURE TWO-PARTY COMPUTATION 
INVOLVING EMBEDDED XOR 

In this section, we first describe the embedded XOR 
problem proposed by Gordon et al. M- Let us denote 
two players by P1 and P2. Player P1 is given an ordered list $\{x_1, x_2, x_3\}$ and P2 is given an ordered list $\{y_1, y_2\}$. P1 randomly chooses an input from his ordered list and sends it to the dealer. P2 also randomly chooses an input from his list and delivers it to the dealer. The dealer calculates the function. For convenience, we here recall the table
for / given in H- 



        y1    y2
x1      0     1
x2      1     0
x3      1     1


The function can be described as 

/.(x..) = (‘ (2) 

1^0 

where $x$ and $y$ denote the inputs from P1 and P2 respectively and $w \in \{1, 2\}$. The protocol proceeds in a series of $M$ iterations, where $M = \omega(\log \lambda)$ and $\lambda$ is the security parameter. The dealer chooses the revelation round $r$ according to a geometric distribution with parameter $\gamma$. The dealer then creates two sequences $\{a_l\}$ and $\{b_l\}$, $l = 1, 2, \ldots, M$, as follows.

For $l > r$, $a_l = f_1(x, y) = b_l = f_2(x, y)$.

For $l < r$, $a_l = f_1(x, \hat{y})$, $b_l = f_2(\hat{x}, y)$,

where $\hat{x}$ (or $\hat{y}$) is a random value of $x$ (or $y$) chosen by the dealer.

Next, the dealer splits the secret $a_l$ into the shares $a_l^1$ and $a_l^2$, and the secret $b_l$ into the shares $b_l^1$ and $b_l^2$, so that $a_l = a_l^1 \oplus a_l^2$ and $b_l = b_l^1 \oplus b_l^2$, and gives the shares $\{(a_l^1, b_l^1)\}$ to P1 and the shares $\{(a_l^2, b_l^2)\}$ to P2. In each round $l$, P2 sends $a_l^2$ to P1, who in turn sends $b_l^1$ to P2. P1 (resp. P2) learns the output value $f_1(x, y)$ (resp. $f_2(x, y)$) in iteration $r$. Here we assume that the dealer who will distribute the shares is honest and can compute the function described in Equation (2).

The algorithms in the Byzantine setting are the same as those in the fail-stop setting except for some additional steps. In the Byzantine setting, the shares are signed by the dealer. Using a MAC on each share, we can prevent a player from sending a false share.
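The classical dealer and share exchange described in this section, written out as an added example (not code from the paper or from Gordon et al.). It assumes HMAC-SHA256 as the MAC, assumes the dealer hands each receiver the key for verifying the shares it will receive, assumes a default value $b_0$ for P2, truncates $r$ at $M$, and treats round $r$ as the first round carrying the real value because the text says the output is learned in iteration $r$; all function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Embedded-XOR function, taken from the table in this section.
F = {("x1", "y1"): 0, ("x1", "y2"): 1,
     ("x2", "y1"): 1, ("x2", "y2"): 0,
     ("x3", "y1"): 1, ("x3", "y2"): 1}
XS, YS = ("x1", "x2", "x3"), ("y1", "y2")


def mac(key, label, rnd, bit):
    """Tag binding a share bit to its role and round (assumed encoding)."""
    return hmac.new(key, f"{label}|{rnd}|{bit}".encode(), hashlib.sha256).digest()


def share_gen(x, y, gamma, M, rng=None):
    """Dealer: pick r geometrically, build {a_l}, {b_l}, XOR-share and tag them."""
    rng = rng or secrets.SystemRandom()
    if x not in XS or y not in YS:
        return None                                   # both parties get the abort symbol
    r = 1
    while r < M and rng.random() >= gamma:            # geometric, truncated at M
        r += 1
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)
    b0 = F[(rng.choice(XS), y)]                       # assumed default output of P2
    deal = {"r": r, "a": [None], "b": [b0],
            "p1": {"key": key_a, "rounds": [None]},
            "p2": {"key": key_b, "b0": b0, "rounds": [None]}}
    for l in range(1, M + 1):
        real = l >= r
        a_l = F[(x, y)] if real else F[(x, rng.choice(YS))]   # f1(x, y-hat) before r
        b_l = F[(x, y)] if real else F[(rng.choice(XS), y)]   # f2(x-hat, y) before r
        a1, b1 = rng.getrandbits(1), rng.getrandbits(1)
        a2, b2 = a_l ^ a1, b_l ^ b1
        deal["p1"]["rounds"].append(
            {"a1": a1, "b1": b1, "b1_tag": mac(key_b, "b1", l, b1)})
        deal["p2"]["rounds"].append(
            {"a2": a2, "b2": b2, "a2_tag": mac(key_a, "a2", l, a2)})
        deal["a"].append(a_l)
        deal["b"].append(b_l)
    return deal


def run(deal, p1_abort=None, p1_forge=None):
    """Exchange shares round by round; returns (P1 output, P2 output, event)."""
    p1, p2 = deal["p1"], deal["p2"]
    out1, out2 = None, p2["b0"]
    for l in range(1, len(p1["rounds"])):
        s1, s2 = p1["rounds"][l], p2["rounds"][l]
        # Sub-round 1: P2 sends a_l^2 with its tag; P1 verifies and reconstructs a_l.
        if not hmac.compare_digest(mac(p1["key"], "a2", l, s2["a2"]), s2["a2_tag"]):
            return out1, out2, f"P1 detected forgery in round {l}"
        out1 = s1["a1"] ^ s2["a2"]
        if p1_abort == l:                             # P1 stops after learning a_l
            return out1, out2, f"P1 aborted in round {l}"
        # Sub-round 2: P1 sends b_l^1 (bit flipped if forging) with the dealer's tag.
        sent = s1["b1"] ^ 1 if p1_forge == l else s1["b1"]
        if not hmac.compare_digest(mac(p2["key"], "b1", l, sent), s1["b1_tag"]):
            return out1, out2, f"P2 detected forgery in round {l}"
        out2 = sent ^ s2["b2"]
    return out1, out2, "completed"


if __name__ == "__main__":
    deal = share_gen("x2", "y1", gamma=0.3, M=40)
    print(deal["r"], run(deal), run(deal, p1_abort=deal["r"]), run(deal, p1_forge=1))
```

Aborting exactly at round $r$ leaves P1 with the real output while P2 falls back to $b_{r-1}$, which is the case the fairness analysis in the following sections has to handle.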


VII. QUANTUM PROTOCOL FOR EMBEDDED 
XOR IN NON-RATIONAL SETTING 

We suitably modify the classical protocol by Gordon et al. to propose a quantum solution of the embedded XOR problem. As in the quantum protocol to solve the millionaires' problem, here also we exploit entangled states to obtain the security.

Now we describe the protocol. Let P1 be given an ordered list $\{x_1, x_2, x_3\}$ and P2 an ordered list $\{y_1, y_2\}$. P1 randomly chooses an input $x$ from his ordered list and sends it to the dealer. Similarly, P2 also chooses an input $y$ randomly from his ordered list and sends it to the dealer. The dealer computes the function and creates two sequences $\{a_l\}$ and $\{b_l\}$, $l = 1, 2, \ldots, m$, where $m$ is the total number of rounds, in such a way that

For $l > r$, $a_l = f_1(x, y) = b_l = f_2(x, y)$ and
For $l < r$, $a_l = f_1(x, \hat{y})$, $b_l = f_2(\hat{x}, y)$,

where $\hat{x}$ (or $\hat{y}$) is a random value of $x$ (or $y$) chosen by the dealer. In quantum domain, the two sequences $\{a_l\}$ and $\{b_l\}$ are distributed by exploiting the qubits of entangled states. The mechanism is described in Algorithm 5
{QEShareGen) and Algorithm [6] (IIpj^^). 


A. Security Analysis 

In this subsection we discuss the security issues against a Byzantine adversary. First, we analyze the sensitivity of our protocol to detect cheating by a Byzantine player. Then we analyze the fairness issue when a player aborts early.


1. Security against Forgery 


Without loss of generality, we assume that P1 is corrupted by the Byzantine adversary and tries to manipulate the qubits. According to our protocol, in any round $l < r$, if P1 does not cheat, P2 will measure either $|g_0\rangle$ or $|g_1\rangle$ depending on the value of $b_l$. However, when P1 cheats, the case will be different. Let us assume that in round $l < r$, P1 sends an arbitrary qubit $|\phi\rangle = \alpha |0\rangle_3 + \beta |1\rangle_3$ to P2. Here, we assume that if P1 did not cheat at round $l$, P2 would receive $|g_0\rangle$. The same thing happens if we assume that P2 would receive $|g_1\rangle$. Thus the final state at the end of P2 would be

$$\rho_2 = [\mathrm{tr}_{P_1}(\rho)] \otimes (\rho_3) = \frac{1}{2}\Big[\, |1\rangle_2\langle 1| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) + |0\rangle_2\langle 0| \otimes \big(|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\big) \Big],$$

where $\rho = \frac{1}{2}(|0\rangle_1 |1\rangle_2 + |1\rangle_1 |0\rangle_2)(\langle 0|_1 \langle 1|_2 + \langle 1|_1 \langle 0|_2)$ and $\rho_3 = [\,|\alpha|^2 |0\rangle_3\langle 0| + \alpha^*\beta\, |1\rangle_3\langle 0| + \alpha\beta^*\, |0\rangle_3\langle 1| + |\beta|^2 |1\rangle_3\langle 1|\,]$.

P2 will measure qubit 2 and qubit 3. Thus, after measurement, P2 will get either $|g_0\rangle$ or $|g_1\rangle$ or $|g_2\rangle$ or $|g_3\rangle$ with probability $\frac{1}{4}$ instead of $|g_0\rangle$ only (see Section IV A 1). As in round $l < r$ P2 will measure either $|g_0\rangle$ or $|g_1\rangle$ without any cheating, when he gets $|g_0\rangle$ or $|g_1\rangle$, he cannot detect cheating. If he gets $|g_2\rangle$ or $|g_3\rangle$, he immediately concludes that P1 is cheating. Thus, the success probability of detecting such cheating for any round $l < r$ is $\frac{1}{2}$. After the revelation round, P2 has no incentive to detect cheating as P2 has already got the correct output. Thus, we can write the expected success probability of P2 to detect cheating by P1 as

$$\frac{1}{2}\Pr(l < r) + \frac{1}{2}\Pr(l = r) = \frac{1}{2}(1 - \gamma) + \frac{1}{2}\gamma = \frac{1}{2}.$$
The same situation arises when we assume that P2 is cheating.

Theorem 8. In non-rational setting, in an arbitrary 
round I < r, the success probability of an honest player to 
detect cheating by a player who is corrupted by a Byzan¬ 
tine adversary is 

The swapping of the qubits in a round, i.e., interchanging the position of the 1st and 2nd qubits, can be analyzed in the same manner.


2. Fairness against Early Abort 

In this subsection we will show how the fairness condition is maintained when a player corrupted by a Byzantine adversary aborts the protocol prematurely. Let us assume that P1 aborts in round $l$. As P1 always computes its output first, followed by P2, the aborting of P1 plays an important role in achieving the fairness of the protocol. The early abort of P2 will terminate the protocol up to that round in which P2 aborts. In that case, either both get the correct value or none gets the correct value. Thus, early abort of P2 does not affect the fairness condition.

According to our protocol, if P1 aborts in a round $l < r$, P2 outputs $b_{l-1} = f_2(\hat{x}, y)$. In this case P1 outputs $a_l$, which is equal to $f_1(x, \hat{y})$. In ideal model, for $l < r$ the trusted party sends $f_1(x, \hat{y})$ to P1 and $f_2(\hat{x}, y)$ to P2. Thus, if P1 aborts in round $l < r$, P1 gets $f_1(x, \hat{y})$ and the trusted party sends $f_2(\hat{x}, y)$ to P2. Thus for $l < r$, we get

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (f(x,\hat{y}), f(\hat{x},y)) \mid l < r\big] = \Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (f(x,\hat{y}), f(\hat{x},y)) \mid l < r\big].$$

When $l = r$, P1 has already got the correct output whereas P2 outputs $b_{r-1} = f_2(\hat{x}, y)$. In ideal model, when $l = r$, the trusted party sends $f_1(x, y)$ (resp. $f_2(x, y)$) to P1 (resp. P2). The following analysis shows how fairness is maintained in this case.

Here, we first recall the table for embedded XOR. We get that in case of P1, $\Pr[f_1(x_1, y) = 0] = \Pr[f_1(x_2, y) = 0] = \Pr[y \in \{y_1, y_2\}] = \frac{1}{2}$ and $\Pr[f_1(x_1, y) = 1] = \Pr[f_1(x_2, y) = 1] = \Pr[y \in \{y_1, y_2\}] = \frac{1}{2}$, whereas $\Pr[f_1(x_3, y) = 0] = 0$ and $\Pr[f_1(x_3, y) = 1] = 1$. In case of P2, $\Pr[f_2(x, y) = 0] = \Pr[x = x_1] = \frac{1}{3}$ and $\Pr[f_2(x, y) = 1] = \Pr[x \in \{x_2, x_3\}] = \frac{2}{3}$. Thus, we can write the following.


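$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (0, 0) \mid l = r\big] = \frac{1}{3} \cdot \frac{1}{3},$$

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (0, 1) \mid l = r\big] = \frac{1}{3} \cdot \frac{2}{3},$$

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (1, 0) \mid l = r\big] = \frac{2}{3} \cdot \frac{1}{3},$$

$$\Pr\big[(\mathrm{VIEW}_{ideal}(x,y), \mathrm{OUT}_{ideal}(x,y)) = (1, 1) \mid l = r\big] = \frac{2}{3} \cdot \frac{2}{3}.$$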


Similarly, in hybrid world, 



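$$\Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (0, 0) \mid l = r\big] = \frac{1}{3} \cdot \frac{1}{3},$$

$$\Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (0, 1) \mid l = r\big] = \frac{1}{3} \cdot \frac{2}{3},$$

$$\Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (1, 0) \mid l = r\big] = \frac{2}{3} \cdot \frac{1}{3},$$

$$\Pr\big[(\mathrm{VIEW}_{hybrid}(x,y), \mathrm{OUT}_{hybrid}(x,y)) = (1, 1) \mid l = r\big] = \frac{2}{3} \cdot \frac{2}{3}.$$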


The above probability calculations show that when $l = r$ the adversary does no more harm in the hybrid world than he can do in the ideal world. Thus, our protocol achieves fairness.

Fairness is obvious if we consider the abort of P1 at a round $l > r$, as in this situation, both in the ideal world and in the hybrid world, P1 as well as P2 obtain the correct output in iteration $r$.

Theorem 9. In non-rational setting, in an arbitrary round $l$, the protocol achieves fairness considering early abort of a corrupted player.


VIII. QUANTUM PROTOCOL FOR 
EMBEDDED XOR IN RATIONAL SETTING 

In rational setting fairness means either everyone gets 
the correct output value or none gets it. Thus, in rational 
setting, we redefined the fairness condition (Section HIl) . 
It is immediate that when P1 chooses $x = x_3$, he should have no incentive to continue the game, as he knows with certainty that the output value is equal to 1. In this situation, P2 outputs $f_2(\hat{x}, y)$, which may be 0 with probability $\frac{1}{3}$ and may be 1 with probability $\frac{2}{3}$. Thus, the fairness condition in rational setting is violated. To mitigate the problem, we have to modify our protocol. In rational setting, we only modify step 2 of the output portion of the protocol. If P1 aborts in any round $l < r$, instead of $b_{l-1}$, P2 outputs 1. Now, we will show how our new protocol achieves fairness under some suitable choice of the parameters in the rational setting.


A. Security Analysis 

The security analysis against a Byzantine adversary in rational setting proceeds in exactly the same manner as the security analysis against a Byzantine adversary in non-rational setting. We first analyze the cheating situation and then discuss the fairness issue when a player aborts early.


1. Security against Forgery 

This goes exactly the same way as it goes in non- 
rational setting. 
Inputs:

The inputs of QEShareGen are $x$ from P1 and $y$ from P2. If one of the received inputs is not in the correct domain, then both the parties are given $\perp$.

Computation:

Dealer does the following:

1. Chooses $r$ according to a geometric distribution $\mathcal{G}(\gamma)$ with parameter $\gamma$ and sets it as the revelation round, i.e., the round in which the value of $f(x, y) = (0, 0)$ or $(1, 1)$.

2. Chooses $d$ according to the geometric distribution $\mathcal{G}(\gamma)$ and sets the total number of iterations as $m = r + d$.

3. For P1:

   (A) For $l < r$, in each round, the dealer calculates $a_l = f_1(x, \hat{y})$, where $\hat{y}$ is a random variable chosen by the dealer from the ordered list of P2.

       (i) If $a_l = 0$, prepares $|g_0\rangle$. We call it $|g_0\rangle_{<r}$.

       (ii) If $a_l = 1$, prepares $|g_1\rangle$. We call it $|g_1\rangle_{<r}$.

   (B) For $l > r$, the dealer calculates $a_l = f_1(x, y)$.

       (i) If $a_l = 0$, prepares $|g_0\rangle$. We mark it as $|g_0\rangle_{>r}$.

       (ii) If $a_l = 1$, prepares $|g_1\rangle$. We mark it as $|g_1\rangle_{>r}$.

   For P2:

   (A) For $l < r$, in each round, the dealer calculates $b_l = f_2(\hat{x}, y)$, where $\hat{x}$ is a random variable chosen by the dealer from the ordered list of P1.

       (i) If $b_l = 0$, prepares $|g_0\rangle$. We call it $|g_0'\rangle_{<r}$.

       (ii) If $b_l = 1$, prepares $|g_1\rangle$. We call it $|g_1'\rangle_{<r}$.

   (B) For $l > r$, the dealer calculates $b_l = f_2(x, y)$.

       (i) If $b_l = 0$, prepares $|g_0\rangle$. We mark it as $|g_0'\rangle_{>r}$.

       (ii) If $b_l = 1$, prepares $|g_1\rangle$. We mark it as $|g_1'\rangle_{>r}$.

Output:

1. For $l \in \{1, 2, \ldots, m\}$ dealer prepares a list $list_w$ of shares for each party $P_w$, where $w \in \{1, 2\}$, such that:

   (a) For $l < r$, in each round P1 is given the first half from $|g_0\rangle_{<r}$ or $|g_1\rangle_{<r}$ depending on the value of $a_l$. This qubit is marked as 1st qubit for that round. P1 is also given the first half from $|g_0'\rangle_{<r}$ or $|g_1'\rangle_{<r}$ depending on the value of $b_l$. This qubit is marked as 2nd qubit for that round.

   (b) For $l > r$, in each round P1 is given the first half from $|g_0\rangle_{>r}$ or $|g_1\rangle_{>r}$ depending on the value of $a_l$. This qubit is marked as 1st qubit for that round. P1 is also given the first half from $|g_0'\rangle_{>r}$ or $|g_1'\rangle_{>r}$ depending on the value of $b_l$. This qubit is marked as 2nd qubit for that round.

   (c) Similarly, for $l < r$, in each round P2 is given the remaining half from $|g_0\rangle_{<r}$ or $|g_1\rangle_{<r}$ depending on the value of $a_l$. This qubit is marked as 1st qubit for that round. P2 is also given the remaining half from $|g_0'\rangle_{<r}$ or $|g_1'\rangle_{<r}$ depending on the value of $b_l$. This qubit is marked as 2nd qubit for that round.

   (d) For $l > r$, in each round P2 is given the remaining half from $|g_0\rangle_{>r}$ or $|g_1\rangle_{>r}$ depending on the value of $a_l$. This qubit is marked as 1st qubit for that round. P2 is also given the remaining half from $|g_0'\rangle_{>r}$ or $|g_1'\rangle_{>r}$ depending on the value of $b_l$. This qubit is marked as 2nd qubit for that round.

2. Each list consists of $2m$ qubits.


Algorithm 5: QEShareGen 

Theorem 10. In rational setting, in an arbitrary round $l < r$, the success probability of an honest player to detect cheating by a player who is corrupted by a Byzantine adversary is $\frac{1}{2}$.

If , where w G { 1 , 2 }, is greater than i, Py, should 
have no incentive to cheat. Thus, 

Theorem 11. In rational setting, if ^ , where 


Inputs:

Each of P1, P2 receives his corresponding list of shares.

Computation:

The players do the following.

1. Each round is subdivided into two sub-rounds.

2. In the first sub-round, P2 sends the first qubit of its list to P1.

3. In the second sub-round, P1 sends the second qubit of its list to P2.

4. After receiving the qubits from P2, P1 measures the two qubits in Bell basis. If the result is $|g_0\rangle$, then concludes $a_l = 0$. If it is $|g_1\rangle$, concludes $a_l = 1$.

5. After receiving the qubits from P1, P2 measures the two qubits in Bell basis. If the result is $|g_0\rangle$, then concludes $b_l = 0$. If it is $|g_1\rangle$, concludes $b_l = 1$.

6. If in any round, any player $P_w$ measures $|g_2\rangle$ or $|g_3\rangle$, he immediately aborts the protocol and reports forgery by the other player.

Output:

1. If P2 aborts in round $l$, i.e., does not send its share at that round, and $l < r$, P1 outputs $a_{l-1}$. If $l > r$, P1 has already determined the correct output in iteration $r$. Thus it outputs that value.

2. If P1 aborts in round $l$, i.e., does not send its share at that round, and $l < r$, P2 outputs $b_{l-1}$. If $l > r$, P2 has already determined the correct output in iteration $r$. Thus it outputs that value.


Algorithm 6: 

$w \in \{1, 2\}$, no player has any incentive to forge in a round $l$.


2. Fairness against Early Abort 

The case in which the Byzantine adversary chooses early abort is analyzed in this subsection. We do not bother about the early abort of P2, as early aborting of P2 does not affect the fairness condition of the protocol.

Early abort by P1

Now, we discuss each case one by one.

Case 1: $x = x_1$. We have $\Pr(a_l = 0 \mid x = x_1) = \Pr(\hat{y} = y_1) = \frac{1}{2}$ and $\Pr(a_l = 1 \mid x = x_1) = \Pr(\hat{y} = y_2) = \frac{1}{2}$, for $l < r$. Note that for $l = r$, P1 will abort after receiving the exact value of $y$. Hence, in case of $y = y_1$,

$$\Pr(a_r = 0 \mid (x_1, y_1)) = 1, \quad \Pr(a_r = 1 \mid (x_1, y_1)) = 0$$

and in case of $y = y_2$,

$$\Pr(a_r = 0 \mid (x_1, y_2)) = 0, \quad \Pr(a_r = 1 \mid (x_1, y_2)) = 1.$$

Subcase 1(a): $y = y_1$. Now, we have $\Pr(b_l = 0 \mid y = y_1) = 0$ and $\Pr(b_l = 1 \mid y = y_1) = 1$.

The following table enumerates the different possibilities for $U_1$ when $x = x_1$ and $y = y_1$.

(a_l, b_l)   U_1          Probability, l < r                     Probability, l = r
(0, 0)       U_1^{TT}     (1-γ)·(1/2)·0 = 0                      0
(0, 1)       U_1^{TN}     (1-γ)·(1/2)·1 = (1-γ)·(1/2)            γ·1·1 = γ·1
(1, 0)       U_1^{NT}     (1-γ)·(1/2)·0 = (1-γ)·0                0
(1, 1)       U_1^{NN}     (1-γ)·(1/2)·1 = (1-γ)·(1/2)            0


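Thus, the expected utility of P1 in this case is

$$E[U_1 \mid (x_1, y_1)] = \frac{(1 - \gamma)}{2} U_1^{TN} + \gamma\, U_1^{TN} + \frac{(1 - \gamma)}{2} U_1^{NN} = \frac{(1 + \gamma)}{2} U_1^{TN} + \frac{(1 - \gamma)}{2} U_1^{NN}.$$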



Subcase 1(b): $y = y_2$. Now, we have $\Pr(b_l = 0 \mid y = y_2) = 0$ and $\Pr(b_l = 1 \mid y = y_2) = 1$.

The following table enumerates the different possibilities for $U_1$ when $x = x_1$ and $y = y_2$.

(a_l, b_l)   U_1          Probability, l < r                     Probability, l = r
(0, 0)       U_1^{NN}     (1-γ)·(1/2)·0 = 0                      0
(0, 1)       U_1^{NT}     (1-γ)·(1/2)·1 = (1-γ)·(1/2)            0
(1, 0)       U_1^{TN}     (1-γ)·(1/2)·0 = (1-γ)·0                0
(1, 1)       U_1^{TT}     (1-γ)·(1/2)·1 = (1-γ)·(1/2)            γ·1·1 = γ


Thus, the expected utility of Pi in this case is 


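Now, combining the two subcases, we get

$$E[U_1 \mid x_1] = E[U_1 \mid (x_1, y_1)] \cdot \Pr(y = y_1) + E[U_1 \mid (x_1, y_2)] \cdot \Pr(y = y_2)$$

$$= \frac{1}{2}\left[\frac{(1 + \gamma)}{2} U_1^{TN} + \frac{(1 - \gamma)}{2} U_1^{NN}\right] + \frac{1}{2}\left[\frac{(1 + \gamma)}{2} U_1^{TT} + \frac{(1 - \gamma)}{2} U_1^{NT}\right]$$

$$= \frac{(1 + \gamma)}{4}\left(U_1^{TN} + U_1^{TT}\right) + \frac{(1 - \gamma)}{4}\left(U_1^{NN} + U_1^{NT}\right).$$

If the above expression is greater than or equal to $U_1^{TT}$, P1 chooses abort. Thus, for fairness, we need to ensure that $U_1^{TT} > \frac{(1 + \gamma)}{4}\left(U_1^{TN} + U_1^{TT}\right) + \frac{(1 - \gamma)}{4}\left(U_1^{NN} + U_1^{NT}\right)$, i.e.,

$$\gamma < \frac{3U_1^{TT} - U_1^{TN} - U_1^{NN} - U_1^{NT}}{U_1^{TN} + U_1^{TT} - U_1^{NN} - U_1^{NT}}. \qquad (3)$$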


Case 2: $x = x_2$. The analysis is similar and we obtain the same expression for $E[U_1 \mid x_2]$. More specifically, we have the following observation.

Subcase 2(a): $y = y_1$. The analysis is exactly identical to Subcase 1(b).

Subcase 2(b): $y = y_2$. The analysis is exactly identical to Subcase 1(a).

Case 3: $x = x_3$. When $x = x_3$, P1 will abort as he knows the output with certainty. In this case, he needs no help from P2 to compute the function. However, when P1 chooses to abort, P2 outputs 1. Thus, for $x = x_3$, both get the correct output of the function. The utility for both the players is $U_w^{TT}$, $w \in \{1, 2\}$. Hence, the fairness condition in rational setting is always maintained.
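The case analysis above can be reproduced by brute-force enumeration. This added example (not code from the paper) computes P1's expected utility from aborting for each input, compares it with the closed form leading to Equation (3), and evaluates the resulting bound on $\gamma$. The utility values in the demo are constructed, the ordering $U^{TN} > U^{TT} > U^{NN} \geq U^{NT}$ is an assumption about the paper's condition on utilities, and the function names are hypothetical.

```python
from fractions import Fraction

# Embedded-XOR function from the table in Section VI.
F = {("x1", "y1"): 0, ("x1", "y2"): 1,
     ("x2", "y1"): 1, ("x2", "y2"): 0,
     ("x3", "y1"): 1, ("x3", "y2"): 1}
YS = ("y1", "y2")


def abort_utility(x, gamma, U):
    """E[U_1 | x] when P1 aborts: with probability 1-gamma the round is before r
    (a_l = f(x, y-hat), y-hat uniform), with probability gamma it is round r
    (a_r = f(x, y)); in both cases P2 outputs 1, as in the modified protocol."""
    total = Fraction(0)
    for y in YS:                                   # P2's input is uniform over its list
        truth = F[(x, y)]
        for weight, guesses in ((1 - gamma, YS), (gamma, (y,))):
            for y_hat in guesses:
                a, b = F[(x, y_hat)], 1
                outcome = ("T" if a == truth else "N") + ("T" if b == truth else "N")
                total += Fraction(1, len(YS)) * weight * Fraction(1, len(guesses)) * U[outcome]
    return total


def closed_form(gamma, U):
    """(1+gamma)/4 (U^TN + U^TT) + (1-gamma)/4 (U^NN + U^NT)."""
    return ((1 + gamma) * (U["TN"] + U["TT"]) + (1 - gamma) * (U["NN"] + U["NT"])) / 4


def gamma_bound(U):
    """Right-hand side of Equation (3)."""
    return (3 * U["TT"] - U["TN"] - U["NN"] - U["NT"]) / (U["TN"] + U["TT"] - U["NN"] - U["NT"])


if __name__ == "__main__":
    # Constructed utilities with U^TN > U^TT > U^NN >= U^NT (assumed ordering).
    U = {"TN": Fraction(10), "TT": Fraction(8), "NN": Fraction(2), "NT": Fraction(1)}
    print("bound on gamma:", gamma_bound(U))
    for g in (Fraction(1, 2), Fraction(4, 5)):
        print(g, abort_utility("x1", g, U), "vs U^TT =", U["TT"])
```

With these sample utilities, aborting pays less than $U_1^{TT}$ for $\gamma$ below the bound and more above it, and for $x = x_3$ the abort utility is exactly $U_1^{TT}$.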


3. Fairness Condition 

From the above analysis, we can state the following 
result. 

Theorem 12. ProvidedTZi (Section\l^, — U(^^) + 
(t/P - > (I/f^ - and 

^TTTT tjTN tjNN jtNT 

the protocol achieves fairness. 

Proof. The proof follows from Equation (3). The additional condition

$$(U_1^{TT} - U_1^{NN}) + (U_1^{TT} - U_1^{NT}) > (U_1^{TN} - U_1^{TT}) \qquad (4)$$

follows from the fact that for $\gamma$ to be meaningful, the numerator $3U_1^{TT} - U_1^{TN} - U_1^{NN} - U_1^{NT}$ must be $> 0$.

Further, from the condition $\gamma < \frac{3U_1^{TT} - U_1^{TN} - U_1^{NN} - U_1^{NT}}{U_1^{TN} + U_1^{TT} - U_1^{NN} - U_1^{NT}}$, it is easy to see that the natural restriction $\gamma < 1$ always holds. □

In Equation (4), all the three terms within the parentheses are non-negative according to $\mathcal{R}_1$.


4. Strict Nash Equilibrium 

Combining the above results, we can state the following.

Theorem 13. Provided ^ for w £ { 1 , 2 }, TZi 

(Sectionim, (C/f^ - t/f^) -k (C/f^ - C/f"^) > {Uf'^ - 

Ui'^), and 

ottTT ttTN ttNN ttNT 

0 < 7 < ^^ 

^ U™ + ur - U^^ - ’ 

the protocol achieve strict Nash equilibrium. 

Proof. From Theorem [Til we get that provided ^ 
for tc £ {1, 2}, no player has any incentive to cheat as he 
can not increase his payoff by cheating. In case of early 
abort, P 2 cannot maximize his utility, as early abort of 
P 2 will terminate the protocol and in that case either no 
one gets the correct output (C/^^) or both get the correct 
output So P 2 never achieves U™ by aborting 
early. However, it is P1 who can achieve by aborting
early, as P1 always computes the output first followed by
P 2 . But in Theorem we proved that provided TZi 

(Section HU, - t/f^) + (C/f^ - t/f^) > (C/f^ - 

'triTT tjTN ttNN ttNT 

Ui ), and 0 < 7 < urN^jjTr_fjkN_fjNr , Pi bas no 
incentive to abort early. Thus, we can say that for every 
player Pw, w G {1,2}, -w) < Uwi~^) holds and 

hence no one deviates from the suggested strategy. □ 

IX. CONCLUSION AND FUTURE WORK 

In 1997, Lo Q showed the impossibility of secure two- 
party quantum computation of certain functions, when 
one of the parties is malicious. In this direction, we obtain a positive result for two types of functions. This does not contradict the generalized impossibility results
of 0 in broadcast channel model, since we show our 


results in non-simultaneous channel model.

Further, for the first time, we introduce the idea of secure two-party quantum computation with rational players. When one moves from the non-rational domain to a rational one, the definition of fairness changes. Thus, we modify the protocols to achieve fairness in rational setting. In addition, we prove strict Nash equilibrium for our proposed protocols in rational setting.

We have shown that secure two-party quantum computation is possible for any function without an embedded XOR and for a particular function with an embedded XOR. Thus, it remains an open question whether secure two-party quantum computation is possible for any function with an embedded XOR. Moreover, generalization of the two-party protocols to the n-party scenario would be interesting future work, particularly in the non-simultaneous channel model.